
Information for Employers

General Data Protection Regulations

In May 2018, the law changed about how employers record, store and use individuals’
personal data. Previously the Data Protection Act covered how this was managed but the new
GDPR law means you may have to change some of your working practices.

As an employer you need to collect and hold data about your employees to enable you to
employ them and process things like their salary. The GDPR law places a new obligation on
you as an employer to tell your employees in more detail why you collect their data, what you
do with it and how long you expect to retain it.

This sheet will help you to do this and also provides a template privacy notice and consent
form for you to give to your employees.

Your responsibilities as an employer under GDPR

1. Review what personal information you hold about employees and where you keep it,
ensuring that it is accurate, up-to-date and secure.
2. Read the GDPR FAQs sheet so that you can answer questions from your employees
about it
3. Give the attached consent form to your employees and ask them to read and sign it.
This explains to them what information you will be holding, what you are doing with
it and who you will be sharing it with
4. Store the signed consent form with their personal data and keep it secure, preferably
in a locked cabinet
5. Every year, check that your employees are still happy for you to keep their
information by giving them the signed consent form to review, sign and date
6. If an employee leaves, remember to destroy all their data within 6 months and notify
HMRC and your payroll and holding account provider (if you use one) to ensure that
they destroy the data after 7 years

If you are unclear about any of this please contact Connection Support

Oxon - Helplineoxon@connectionsupport.org.uk 01865 410307


MK - sdshelpline@connectionsupport.org.uk 01908 363425
18 August 2018 v1
Author Connection Support
Template: to be given to employees who should sign and return to employer

General Data Protection Regulations

Privacy Notice and Consent form for Employees

In May 2018, the law changed about how employers record, store and use individuals’
personal data. Previously the Data Protection Act covered how this was managed but the new
GDPR law means I have to change some of my working practices.

As your employer I need to collect and hold data about you to enable me to employ you and
process things like your salary. The GDPR law places a new obligation on me as an employer
to tell my employees in more detail why I collect your data, what I do with it and how long I
expect to retain it. I also need to ensure you are fully consenting to this data being collected.

Your consent is requested

I would like your consent to hold personal and special data about you in order that I can
process your employment contract. You are entirely in control of your decision to give
consent to my use of your data as requested in this form. There will be no repercussions if
you choose to withhold consent. However without some data I may not be able to make a
decision on your suitability for employment or comply with the law and therefore I may not
be able to make an offer of employment or.

The specific data I wish to obtain and hold is as follows:

| No. | Type of data | Why I wish to hold it | How long it will be kept for | Yes / No | Date when consent was withdrawn |
|---|---|---|---|---|---|
| 1 | Recruitment data: Previous experience; Skills and qualifications | This will allow me to make a decision on your suitability for employment | Data will be kept for duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. | | |
| 2 | Recruitment data: convictions. This is classed as ‘special’ data under GDPR and is more strictly controlled | This will allow me to make a decision on your suitability for employment | Data will be kept for duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. | | |
| 3 | Your personal details: Name, address etc. | This enables me to comply with the law and maintain correct employment records | Data will be kept for duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. | | |
| 4 | Next of kin and their contact details | If there is an accident then I can contact your emergency contacts | Data will be kept for duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. | | |
| 5 | Health / disability information and details of your GP. This is classed as ‘special’ data under GDPR and is more strictly controlled | So that I am aware of any medical issues you may have, can make provision for these in your work and know who to contact if you have a medical episode | Data will be kept for duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. | | |
| 6 | Financial information: Bank details; Tax codes; NI number etc. | This will allow me to comply with the law and register you as an employee with HMRC and share with HMRC how much I pay you. It will also allow me to pay you. | Data will be kept for the duration of your employment with me. When your employment is completed, it will be destroyed after 6 months. (HMRC may keep the data for up to 7 years). | | |
| 7 | Financial information: Tax codes; NI number etc. | I will need to share this information with my payroll service in order that they can calculate what I need to pay you. | Data will be kept by payroll provider for 7 years. | | |
| 8 | Financial information: Bank Details, salary payments | I will need to share this information with the Holding account provider so that they can pay your salary to you on my behalf (delete if don’t use the holding account) | Data will be kept by Holding account provider for 7 years. | | |

Sharing your data

We need to share your data with third party outside agencies such as various health services
which can support you. Also, we may sometimes need to share your data with our wider team
at Connection Support in case your Support Facilitator is absent and a colleague needs to
cover.

| Agency / Authority / Individual | Authority given (tick) | Authority not given (tick) |
|---|---|---|
| HMRC – see above | | |
| Payroll Service - state name: | | |
| Holding Account Provider – state name: | | |
| Connection Support | | |
| Your Social Worker / Healthcare Manager | | |

Agreement to use my data

I hereby freely give my employer (Insert name) consent to use and process my personal data
relating to my employment (examples of which are listed above)

In giving my consent:

I understand that I can ask to see this data to check its accuracy at any time via a subject
access request.

I understand that I can ask for a copy of the personal data held about me at any time, and that
this request is free of charge

I understand that I can request that data that is no longer required to be held can be removed
from my file and destroyed.

I understand that if I leave my employment, my data will be destroyed after 6 months, or if
longer this is stated above

I understand that you are the Data Controller for my employment and I can contact you
directly if I have any questions or concerns about my data.

I understand that if I am dissatisfied with how you use my data, I can make a complaint to the
government body in charge (Information Commissioner’s Office, Wycliffe House, Water
Lane, Wilmslow, Cheshire SK9 5AF or online at www.ICO.org.uk)

Name:

Signature:
Date:

Yours sincerely

(name of employer)

Annually Reviewed
Signature Date
